Code Is Not (Always) Law

Sometimes, the law is the law, industry experts say.

Dec 7, 2023 at 8:48 p.m. UTC
Updated Jun 14, 2024 at 5:26 p.m. UTC

A French court recently determined that Code Is Law. Essentially. And the decision — somewhat ironically for an industry that usually accepts that exploits happen (and may even be a necessary step towards advancing protocol security) — has put DeFi in a bind.

This is an excerpt from The Node newsletter, a daily roundup of the most pivotal crypto news on CoinDesk and beyond.

In February, the Avalanche-based automated market maker Platypus Finance was breached, with the thieves making away with $8.5 million. As is now routine, the attackers were quickly identified and the stolen funds traced down.

What happened next is somewhat atypical, with the ultimate results possibly setting a troublesome precedent: Platypus’ operators and community decided to pursue legal action against brothers Mohammed and Benamar M. (last name redacted in court documents).

While not the first time blockchain thieves have been brought to court, the situation is something of an enigma considering that crypto, at least as initially conceived, is designed to operate outside the bounds of the law.

The Bitcoin blockchain doesn’t need a money transmitter license to function, it just needs to exist. Likewise, since the earliest days of the crypto industry, the goal has usually been to design systems that work for all — open, global, censor-resistant platforms do what they do whether used by a crook or a saint.

Key to this egalitarian standard has been the idea that the code is the code, and that is what matters most. Judges, regulators and politicians may try to set parameters around what types of financial services can be accessed and by whom, but in crypto, such restrictions cannot apply (except to the extent that centralized companies, like Coinbase, must implement KYC/AML procedures).

There is some debate whether Mohammed was being sincere when he argued in court that he was a “white hat” hacker, only looking to keep 10% of the proceeds for discovering a vulnerability in the code. He claimed he was an "ethical hacker" who took the "endangered funds" so the protocol would learn a lesson and plug its hole.

Likewise, there is an argument to be had whether Platypus acted rightly in seeking justice through the legal system. The victims certainly had a legal right to press charges, as any victim of a theft would. But if the system executes, it executes. And if the code is the law, then all users have to live with the fact that the code contained a vulnerability that was exploited.

Curiously, the French judge overseeing the case seemed to take that same view when dismissing the charges against the brothers. According to a Le Monde article, he compared the financial exploit of Platypus, which seemingly had an infinite money bug (accessible through a DeFi-native “flash loan”), to exploiting a vending machine to get extra bags of chips.

Many in DeFi are calling for Platypus to appeal the controversial decision by taking the matter to a higher court. Code may be code, but a theft is a theft, they argue, and restitution is justified. This seems to be of a piece with the growing sense of maturity across the industry. A decade ago, it may have been OK to say crypto could self-regulate, that bad actors would be dealt with through the free market and that code reigns supreme.

“Stealing is bad," Rainbow's Mike Demarais said.

Today, after countless DeFi hacks, the proliferation of crypto scams and the implosion of exchanges like Mt. Gox, it seems downright irresponsible and naive to say the code is the code and that is that. Personally, I think crypto’s change of heart is for the better: If the industry is to grow, it needs to integrate with the world, and that means integrating with the law.

At the same time, I recognize that what makes crypto powerful is that these self-executing platforms are extra-judicial. Bitcoin wouldn’t be Bitcoin if it started sanctioning or KYCing users, for instance. The tech itself, as the code is written, is opinionated. Crypto has a bias towards anti-authoritarianism and equality before the code.

But crypto isn’t a monolith, and this is a complicated topic that is foundational to nearly everything that has been built in blockchain so far. CoinDesk reached out to a number of protocol founders and industry expert lawyers to get their take.

Neeraj Agrawal, head of communications at Coin Center:

“We've [Coin Center] always taken the view that cryptocurrency use is regulated by applicable laws”

Scott Lewis, creator of DeFiPulse, Slingshot and the Canto Network:

“I might be misunderstanding, the exploiting a vending machine is stealing though, right? Is that an example in favor of the code is not law side? Isn’t that the canonical ‘code is not law’ example? Using an error in someone’s code to take people’s money is not OK, and it shouldn’t be legal. Laws and rules around smart contract hacks are unclear and should be clarified, but making them all legal is not the answer"

Austen Campbell, Columbia Business School professor and former BUSD portfolio manager at Paxos:

“If crypto wants to go mainstream, it needs an environment where regular people can transact with confidence and know the rules of the system, not be at the mercy of exploits and hackers. It can’t be the case that everyone has to be a crypto expert.”

David Hoffman, co-founder of Bankless:

"Code is Law is a thought experiment, not a prescription."

Christine Kim, Galaxy Digital vice president of research:

"The idea that ‘code is law’ or that the rules enforced and not enforced by a smart contract have the final say over who owns the assets on a blockchain is untrue because in most cases, especially DeFi hacks, protocol teams like the Kyber development team will rely on law enforcement for the retrieval of user funds. When code fails, which happens with some frequency with DeFi protocols, the law is the law."

Gwart, gwart of gwart:

“Code being law is increasingly difficult with the complexity of the system. It’s probably naive to say “code is law” in an absolutist way. My more interesting take perhaps is that these types of decisions, and maybe other decisions that lean on law being law, really make us as a crypto community think about the value of these systems if they are ultimately enforced by the state. I’m not sure what the “correct” equilibrium is here but I do sometimes wonder how valuable these tools can be if contracts are ultimately reliant upon common law or state law or whatever to work out these situations.”

Jon Rice, former editor in chief of Blockworks, Cointelegraph, Crypto Briefing:

“The concept of decentralization is about increased participation in our financial system, not about anarchy. 'Code is Law' is a tenet of DeFi that essentially absolves the deployer of responsibility, and passes it instead to the user. This isn't a recipe for greater participation, it's just another obstacle for the average user - and thus another hurdle for our industry in attracting both capital and users.
“It's encouraging to see courts begin to look more closely at guardrails for DeFi, but only if those decisions place the burden of responsibility on those who should know best: The people creating and deploying the code.”

Conor Ryder, head of research at Ethena Labs:

“On one side I agree that we are lobbying for code to replace the need for trust, interpretations of law etc. Code is law does fit that narrative but I do think it’s too extremist.
“It’s a very dangerous precedent to set and at the end of the day it’s still an attack on a security vulnerability — if a Web2 company had a similar vulnerability that was taken advantage of, you can be sure that there would be legal action taken. Encouraging these types of attacks is definitely met with negativity for a still relatively immature space and if he really was an ‘ethical hacker’ there were likely more subtle ways he could have raised the issue and still been compensated.”

Nathan Schneider, professor of media studies at University of Colorado Boulder, co-founder of the Metagov Project and creator of "exit to community" theory:

“It is a shame that crypto disputes and bad behavior are largely being addressed in conventional courts. It is a reminder that crypto has so far failed on the promise of producing better forms of governance and accountability than what we had before.”

Cami Russo, co-founder of The Defiant:

"I interpret code is law as whatever the outcome is to code that is executed by smart contracts, cannot be interfered with and should be upheld both via social consensus around blockchains and also in actual courts. I think there is more nuance to the concept.
"I believe intent matters of both the developer of the code and the user of the code. The purpose of the protocol or dapp and the intention of the user of that dapp should be taken into account. If a user of a protocol is achieving a certain outcome by interacting with the code in a way the developers did not intend, then that should weigh into whether that outcome should be changed or reverted, especially if other users are hurt.
"A simplified way of seeing this is, a lock’s intended purpose is to prevent access from say a safe. Someone might know how to pick that lock and access funds inside the safe. They found a “vulnerability” in that lock, but they’re not using it as it was intended and they have produced an outcome that was not desired by the manufacturers of the lock or those keeping money on the safe. In this case, external parties should interfere with the outcome. The same is true for smart contracts."

Nelson Rosario, founder of Rosario Tech Law and professor of law at Chicago-Kent College of Law:

“There will always be a space for Code is Law interpretations of on-chain activity, but whether that is good or not will likely be a case-by-case determination.”

Maria Bustillos, Brick House co-founder:

“In general I think it's not a bad idea to refer to the [Bitcoin] white paper; this tech was developed specifically to address significant weaknesses in legacy financial systems.”

Michelle Lai, Electric Coin Company board member and governance councillor and Synthetix:

“The code is law camp is slowly being coerced into compliance, for the sake of their freedom. I'm not saying I agree fully with code is law, nor with full compliance, but the Overton window shifted towards compliance for many projects that might have been more pro-privacy, due to the heavy handedness and cowboy behavior of some regulators.”

Eva Beylin, director of the Graph Foundation:

"Code is law is not as binary as we're making it seem. Code can be law and also there are other laws that we abide by. In the case of the French decision it's quite frustrating that a precedent is being set that code is law = no other laws apply. For example, if someone enters the right code to break into your house, isn't it still called robbery/breaking and entering? Just because they followed the code (aka entered the pin), doesn't mean the act itself surrounding it was legal.
"Same thing with sim swaps and hacking. Just because someone got access to your sim or account because they happened to know your password/pin doesn't mean that it's not illegal (e.g. doesn't mean that it's legal)."

Jared Grey, Sushi CEO:

“Code is the law until it's exploited in the face of criminality, when the general rule of law supersedes. Tl;dr: I don't think you can excuse criminality through the use of technology. What is criminal is a wider discussion.”

Stephen Palley, litigation partner and co-chair of Brown Rudnick's Digital Commerce group:

“The catchphrase "Code is Law" comes from a book written by law professor Larry Lessig. His more nuanced discussion of this concept has become shorthand by people working on crypto projects to mean something like ‘anyone who interacts with a blockchain protocol should be bound by anything that results from that interaction -- the code, well or poorly written, determines and is the final boss of outcomes.’ Under this sort of rubric, thus, there are no mistakes and the concept of a hack or exploit isn't recognized. Whether or not U.S. courts will follow the French court's reasoning remains to be seen. You can get pretty far with terms-of-service or a user agreement, that will bind a user to consequences and to accept all results, whether expected or unexpected. It's less certain that a U.S. court will agree to consequences that involve conduct that appears fraudulent or illegal, as the general rule is that you can't consent to a crime. Now, there's a ton of nuance here that I can't unpack in a simple quote but I think we can expect some US Courts in some circumstances to bind users to the results of irreversible code, as long as the consequences of software errors are knowingly and voluntarily waived.”

General counsel for Alliance, Mike Wawszczak:

“Let's be clear about what "code is law" might mean to people like lawyers and judges. It cannot mean "code trumps law" or "code is on equal footing as law." Instead, it means something like "the law defers to the outputs of code in its normal functioning, whether that code is well-written or not, whether the function was intended by the developer or not, whether other users of the code are affected in some way or not." It's a deference, not a trump card.
“The judge in Platypus appears to be saying that there is no reason to overrule the deference here, but that does not mean another judge lacks that power.”

James McGirk, content lead at Spectral:

"It's a shame we're moving away from our original principles," McGirk says, "But it's a sign of maturity. Industry is starting to realize there's more to blockchain than digital rat poison."

Jake Brukhman, founder of CoinFund:

“In general, I would say that code is law refers to transactional hardness and often lower counterparty risks associated with blockchains. This is a key and central innovation, but I also think it can work in tandem with traditional law. Blockchain primitives are tools in a toolbox. I think the comparison to a vending machine is meaningful, I’m just not sure what conclusion about code-is-law to take from it.”

Paul Dylan-Ennis, professor at the University of Dublin and CoinDesk columnist:

“The Platypus case brings us into direct contact with a contradiction in DeFi. On one hand, we want hackers to be punished. On the other, we are supposed to be building decentralized protocols that take the state out of the mix. Until we get clear on what Code is Law really means we’ll be confused by decisions from the traditional legal system. The way I see it, this case is another example of how we tend to have these concepts, but they are more like memes than well thought of principles, and we let the contradictions hang around w/o trying to solve them. I agree that the principle is worth keeping, though I'd veer to the side that says the problem is actually that the code is obviously not up to scratch to actually be our law.”

Brian Frye, professor of law at the University of Kentucky's J. David Rosenberg College of Law and conceptual artist:

“Code is law” is a helpful way to think about the efficiencies blockchain enables, but the market still has to take account of how the law understands property. Because the law doesn’t necessarily care about what the blockchain says.

Lex Sokolin, partner at Generative Ventures and CoinDesk columnist:

“We want to be in a place not just where code is law, but where law is code, and where arbitration and conflict resolution can happen through digital means. Until software can really deal with the many complexities of human behavior — perhaps through LLMs [AI software] — deterministic and narrow software implementations like smart contracts aren’t sufficient to resolve morally complex issues. That’s the precedent set by “the DAO” and it has served Web3 well. Further, law most often is the collective human wisdom codified through exceptions and errors. It is not recorded in a modern way, but it comes from timeless experience. Crypto needs a balance between anarchist caveat emptor and some semblance of communal rejection of immoral actions.”

Krystal Scott, artist:

“I do agree code is law is kind of the whole reason for everything in the first place. If everyone just started going to court we’re going to eventually just end up back in the exact bureaucratic structure crypto was invented to escape. But it is quite comical that the court just acquitted, perhaps the bureaucracy is also growing and adjusting with the space. Likely it’s all just coming together tbh crypto is becoming less of an outsider thing.”

Odysseas.eth, of Phylax:

“I think that code is law is a silly idea because we give value to Ethereum. Ethereum has value and Ethereum Classic doesn't because we, unanimously, agreed that we want to do the fork to roll back the DAO hack. So, it's always the social layer that ends up giving value to things. Thus, it makes sense that if someone makes the code behave in a way that the original designer didn't want, then it's ok to pursue legal means. If someone breaks into my house, they make the door or window behave in a manner that was not intended (e.g. break when locked). That doesn't mean that as a society we accept that and say force is law.
“In effect, the community that participates in the network (namely the miners and the users that generate the fees) are the sovereign entities, not the network itself. Because the sovereign is the person that decides the exception. That watches the watchmen sort of speak. It's sovereign value because we, as a community, can decide when something is not ok and do something about it. Fiat is not because it's not the community that decides, but a small clique of people with questionable incentives.”

Miguel Morel, CEO of Arkham Research:

“In the online world of decentralized finance it makes sense that code is law, one expects smart contracts to follow what's been written in the code without exception. However, humans who are the ones using these smart contracts exist in the physical world of jurisdictions and stately governance — this supersedes anything written in code, and therefore I’d expect it to take precedence over anything we believe in crypto.”

L0la L33tz, author:

“Humans have been trying to regulate our way of life for centuries, but math will always route around our systems. Code is the only law that is always enforceable. This basically means: Even if this case was decided differently, then the next person that writes [bad] code comes along, which will also be exploited, and there's really nothing that can stop them, and you can try to ‘enforce’ your law, but maybe they're smarter and won't get caught (i.e. escape the law).”

Scott Fitsimones, creator of AirGarage:

“If you leave the front door and get robbed, it’s still a crime. Similarly, courts should uphold the intent of smart contract even if there was a programming error that led to an exploit. It’s a win for the whole ecosystem when there is justice and consequences for bad actors. The Platypus case sets a dangerous precedent that the legal system doesn’t apply to smart contracts. The French court is saying cops aren’t coming because the front door was left ajar.”

Arthur Breitman, co-founder of Tezos:

"Law is law, and depending on what the law says, it won't always align with code. But good law sets defaults, and minimizes the need for parties to enter into contractual agreements to depart from those defaults. This is, in a nutshell, the wisdom of Coase's theorem. By that standard, I do not believe that strictly following the code is the best a legal system can do, there is room to define meaningful abuse without introducing arbitrary discretion. This does not mean code is useless, shifting the burden of a legal complaint is huge! 'Defaults' are powerful."

The Blockchain Socialist:

"My view on code is law comes from both criticizing the original phrase from Lawrence Lessig and from actually talking to him in a podcast episode. Essentially code can act as an instrument of social control, but it is not equivalent to law. Real legal systems possess inherent ambiguities to accommodate diverse situations, which code often lacks. This inflexibility of code means it cannot foresee all potential scenarios where law might be applied, underscoring the limits of treating code as law where courts are used to tackle ambiguous situations. Rather than code is law, I prefer saying that code is political."

Mike Demarais, co-founder of Rainbow wallet:

“Stealing is bad”

UPDATE (DEC. 8, 2023): Adds comments from professors Brian Frye and Nathan Schneider.



Daniel Kuhn

Daniel Kuhn is a deputy managing editor for Consensus Magazine. He owns minor amounts of BTC and ETH.